Luuuk Cybercrime Campaign Steals €500,000 From Large European Bank in One Week

The Luuuk banking Trojan was used to steal €500,000 from 190 banking accounts in just one week.

A new banking Trojan campaign dubbed Luuuk stole €500,000 from 190 victims in two countries in just one week.

The new campaign was identified by security firm Kaspersky Lab, which discovered a targeted attack against a single, large and as yet unidentified European bank.

In all, more than 190 victims have been identified, most of them located in Italy and Turkey. According to the logs, the sums stolen from each bank account ranged from €1,700 to €39,000.

The campaign was identified when a command and control (C&C) server used in the attack was discovered on the net on 20 January.

"The server's control panel indicated evidence of a Trojan program used to steal money from clients' bank accounts at least one week old when the C&C was discovered, having started no later than 13 January, 2014," the company said.

Two days after Kaspersky discovered the C&C server, the criminals removed "every shred of evidence" that could have been used to trace them. However, experts think this was probably linked to changes in the technical infrastructure used in the malicious campaign rather than spelling the end of the Luuuk campaign.

Completely new malware

Stefan Tanase, security researcher at Kaspersky, said that Luuuk looks like a completely new piece of malware, but because he has not seen the malware itself, there is a possibility that Luuuk could be a heavily modified version of another Trojan.

Once the security company detected the campaign, it contacted the bank's security service and law enforcement agencies and submitted all evidence to them. The investigation is ongoing.

The cybercrime gang behind the campaign spread the money between several dummy accounts, or drops, with varying amounts of money going to different accounts, which Vicente Diaz, principal security researcher at Kaspersky Lab, believes indicates a certain level of paranoia among the gang:

"These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash. The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a 'drop' is asked to handle, the more he is trusted."

Kaspersky believes this is not the last we have seen of Luuuk, as the complexity of the operation suggests that the attackers will continue to look for new victims of this campaign.